Tuesday, March 9, 2010

Skype Chat Carver from RAM - Skypeex

I’ve been teaching my RAM analysis course for about a year now and enjoy working with Volatility and some other open source tools. I’ve been making use of Jeff Bryners cool little Python script (http://www.jeffbryner.com/code/pdgmail) to extract Gmail artifacts and was motivated to do the same for Skype chat and any other Skype stuff that might be hanging around in a RAM dump.

The only problem was that, although I’ve done a bit of programming in the past, Python was a long hissy thing you wouldn’t want to meet on a dark night. Having gone through the pain of programming ‘Hello, world’, simple Pokemon text games for my lad and tedious maths exercises, I’ve actually managed to produce something meaningful.

The idea is to extract Skype chat lines with their associated meta-data, which includes timestamps, the Skype names in the conversation and the author etc.

The complete Skype line in RAM starts with the magic value ‘INTO Messages” followed by column headers then the values of the chat line including the chat body.

This is very much work in progress but will simply do the following:-

1. Run Strings against your RAM dump2. Run the Skypeex tool against the resulting Strings file3. It will carve out all the Skype chat lines it can see as well as trying to find and extract all the Skype sessions and ‘orphan’ chats that have been created.

It’s interesting to note that the latter process even seems to find the ‘spam’ message sessions that you sometimes receive.

This has been tested on dump files from Windows XP2 and XP3 with Skype 3.8 through 4.2.I don't currently have a Windows 7 box up and running, if anyone has one available please let me know.

Please do not hesitate to get in touch with ideas and improvements.

Usage:

There are 2 versions in the zip file.

skypeex.py is designed for use under Python 3.1.1 and above

skypeex26 is designed for use under Python 2.6

Due to changes with several commands between 2.6 and 3 they are not interchangeable, although the differences in this code are only in the input and print lines.For best testing results, have several Skype IM chats with friends and then image your RAM. On a windows box, use any tool to grab RAM (tested on Win XP SP2/3):

The output files will be written to the folder where the script is run from. The output is a CSV file with chats (incl headers) and a txt file with extracted skype sessions and carved orphan chats. Please expect many duplicates and some false positives.

In the CSV file the 'Timestamp' column is the date and time of the message in UNIX time. Sorting on this column gives you a timeline of messages. I'm writing a UNIX time decoder but it doesn't work yet.

This searches for the magic value, strips out the rubbish and returns the comma delimited values we are interested in. This includes:-

Chatname – the initiator and recipient of the session Timestamp – The time and data the message was sent in UNIX time Author – the sender of the message From_dispname – the screen name being used by the sender Body_xml – the body of the message, can slip into the chat_msg column GUID – session identifier

This time we look for the existence of the # and /$ characters in the same line. This refers to the pattern written to RAM of each Skype session, which looks like this:

#nfurneaux/$bennyboy1982;810b0fd9ef04db08

This shows the 2 persons in the Skype session with the first name being the initiator of the conversation. I’m still trying to figure out the hex value at the end, but it seems to be a GUID session number, any ideas let me know.

We are able to see the actual Skype name as well as the screen name being used during the session. The cool thing is that we also grab the next line with often includes actual chat associated with the recovered session. Hence we capture:-

Hi to mo3578, sorry I missed your post. The answer should also answer Shlomo's question too.

Strings is a program (UNIX really) that parses through a file and by default extracts all the ACSII test strings 3 characters long and above. Its useful in a RAM dump for getting rid of all the non-human readable stuff.

There is a ported version to Windows on the Helix disk 2008/2009 (not pro) available from www.e-fense.com.

Simply open a command shell (from the Helix GUI if you are using it) and type:-

strings ramdump.dd > c:\stringsout.txt

..where ramdump.dd is the ramdump you have taken and the txt file is the output file name you have chosen

Virtually any Linux distro will have strings too, just the pathing will be different, for example:-

strings /root/ram.dd > /media/sda1/stringsout.txt

I do intend to build the strings capability into the tool but Ive been a tad busy.

Contact details

About Me

I've been working with computers since my ZX81, closely followed by an Oric 1 (if anyone remembers those?). In the past 11 years I've been working in the area of computer forensic investigation and research in both the Law enforcement and Corporate worlds.
I have trained 100's of investigators in the past few years in the area of Live Forensics and RAM Analysis.
Lately I have been working with Law enforcement agencies across Europe and the USA in both an operational and training capacity.

Computer forensics is an evolving science with constantly developing tools and techniques. CSITech, led by Nick Furneaux, is striving to be at the forefront of these developments working on tools and techniques for the collection and analysis of volatile data for both the Law Enforcement and Corporate worlds.